Give apiserver full access to kubelet API #43265
Conversation
|
This change is |
k8s-github-robot
added
the
size/XS
k8s-ci-robot
added
the
cncf-cla: yes
liggitt
added
release-note-none
|
cc @kubernetes/sig-auth-pr-reviews |
|
@mikedanese @cjcullen PTAL |
Why does this follow? All verbs on proxy, sure, but why the others? |
| - get | ||
| - apiGroups: | ||
| - "" | ||
| resources: | ||
| - nodes/log | ||
| - nodes/stats | ||
| - nodes/metrics | ||
| - nodes/spec |
There was a problem hiding this comment.
I wouldn't expect a role called "node-proxy" to have mutation rights to endpoints other than proxy.
There was a problem hiding this comment.
I can rename the role if that helps... this thing's job is to proxy to the kubelet API... to do that, it needs full access to the kubelet API.
There was a problem hiding this comment.
I can rename the role if that helps... this thing's job is to proxy to the kubelet API... to do that, it needs full access to the kubelet API.
Ok, so its more akin to our system:node-admin?
There was a problem hiding this comment.
yeah, this is the role given to the credential the apiserver uses to reach the kubelet. some deployments use a superuser credential for that.
There was a problem hiding this comment.
yeah, this is the role given to the credential the apiserver uses to reach the kubelet. some deployments use a superuser credential for that.
Ok. I think a better name would help. It makes sense for the apiserver to be a nodeadmin
There was a problem hiding this comment.
@mikedanese @cjcullen do you know what the addon manager does with the old object if we rename these?
There was a problem hiding this comment.
It'll delete the old one. No guarantees about 0 vs. 1 vs. both running.
There was a problem hiding this comment.
Node-admin sounds to me like an ops role that would be provisioning/updating node objects...
There was a problem hiding this comment.
on second thought, I agree. I think the node-proxy name is ok with a comment. the nodes/proxy resource is the most powerful one... the others were split out from nodes/proxy to allow granting those lesser permissions to specific users.
liggitt
force-pushed
the
node-proxy-role
branch
from
054706b
to
0381e62
Compare
k8s-github-robot
added
size/S
liggitt
force-pushed
the
node-proxy-role
branch
2 times, most recently
from
0d8d2a7
to
54798e8
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
@roberthbailey for approval |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cjcullen, liggitt, roberthbailey
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
liggitt
added
the
do-not-merge
|
just realized the role for kube-proxy is |
liggitt
force-pushed
the
node-proxy-role
branch
from
54798e8
to
87a8c21
Compare
k8s-github-robot
removed
the
lgtm
|
how about |
|
Still lgtm |
liggitt
added
lgtm
|
Automatic merge from submit-queue |
the kubelet stats API calls use both GET and POST. POST calls proxied through the API server were getting forbidden because only
getwas allowed.more broadly, the apiserver is responsible for proxying authorized API calls to the kubelet API... I think this means the apiserver should have access to all verbs on the kubelet subresources.
Fixes #42045